Joining vCenter Server Appliance or ESXi host into Active Directory domain fails with error: LW_ERROR_LDAP_CONSTRAINT_VIOLATION or LW_ERROR_LDAP_INSUFFICIENT_ACCESS

Article ID: 322859


Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Some businesses apply a security concept of "least permissions", "least privileged user" or "least privilege model". In that case, the use of Domain Administrator accounts may not be desirable.
This article defines the minimum set of Active Directory (AD) domain permissions an AD user needs on an Organizational Unit (OU) or the Computers container to successfully join a vCenter Server Appliance into an AD domain.

Symptoms:
  • Joining vCenter Server Appliance or ESXi host into the Active Directory domain fails.
  • You see the error:
LW_ERROR_LDAP_CONSTRAINT_VIOLATION or LW_ERROR_LDAP_INSUFFICIENT_ACCESS
  • Running the command "/opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]" to join the domain with a restricted user account fails with the error:
Error LW_ERROR_LDAP_CONSTRAINT_VIOLATION [code 0x00009d7b] OR LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]


Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 6.5
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.5.x

Cause

vCenter Server Appliance and ESXi cannot join the domain unless the user account performing the join has the correct permissions in Active Directory.

This may also take place if the ESXi host already exists as an entry in AD; ensure any stale instances of the host being joined are removed.

Microsoft documents the minimum permissions required to join a computer to a domain:

  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Create and Delete Computer objects
In addition, joining vCenter Server Appliance or ESXi requires Read/Write Public Information and Read/Write Description.

Resolution

Perform the following steps if the user account that will join the appliance does not already have the required permissions; an administrator with rights on the OU delegates them to that account. For more information, see the Microsoft Support article.

This is only an example:
  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. In the task pane, expand the domain node.
  3. Locate and right-click the OU that needs to be modified, and then click Delegate Control.
  4. In the Delegation of Control Wizard, click Next.
  5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
  6. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  7. Click Only the following objects in the folder, and then from the list, select the Computer objects check box. Then select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
  8. Click Next.
  9. In the Permissions list, select the following check boxes:
  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Read/Write public information
  • Read/Write Description
  10. Click Next, and then click Finish.
  11. Close the Active Directory Users and Computers MMC snap-in.
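The same delegation as a script, added here as an example (not part of the KB article and not VMware's or Microsoft's code): it grants the permissions listed in step 9, plus create and delete of computer objects, to a dedicated join account on a single OU, then lists the resulting ACEs so the result can be checked. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host and an account allowed to change the OU's ACL; the OU distinguished name and the join account name are placeholders.

```powershell
# Added example (not from the KB article, not VMware's or Microsoft's code):
# delegate the permissions listed in step 9 to a dedicated join account on one OU.
# Requires the RSAT ActiveDirectory module and an account allowed to change the OU's ACL.
Import-Module ActiveDirectory

$TargetOU    = 'OU=vSphere Hosts,DC=example,DC=com'   # placeholder: OU that will hold the computer objects
$JoinAccount = 'svc-vcsa-join'                         # placeholder: sAMAccountName of the join account

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve the GUIDs from the directory instead of hard-coding them, so the script
# follows whatever this forest's schema and Extended-Rights container actually contain.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
               -Properties schemaIDGUID | Select-Object -First 1
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" `
               -Properties rightsGuid | Select-Object -First 1
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [Guid]$obj.rightsGuid
}

$sid         = (Get-ADUser -Identity $JoinAccount).SID
$computerCls = Get-SchemaGuid 'computer'

# Builds one Allow ACE for the join account. $Rights is a comma-separated
# ActiveDirectoryRights string, $Inheritance an ActiveDirectorySecurityInheritance name.
function New-JoinAce([string]$Rights, [Guid]$ObjectType, [string]$Inheritance,
                     [Guid]$InheritedObjectType = [Guid]::Empty) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedObjectType)
}

$aces = @(
    # Create and Delete Computer objects in this OU (and OUs below it)
    New-JoinAce 'CreateChild, DeleteChild' $computerCls 'All'
    # The remaining rights are scoped to computer objects only ('Descendents' + computer class),
    # so the account cannot, for example, reset user passwords in the same OU.
    New-JoinAce 'ExtendedRight'               (Get-RightsGuid 'Reset Password')                            'Descendents' $computerCls
    New-JoinAce 'ReadProperty, WriteProperty' (Get-RightsGuid 'Account Restrictions')                      'Descendents' $computerCls
    New-JoinAce 'Self'                        (Get-RightsGuid 'Validated write to DNS host name')          'Descendents' $computerCls
    New-JoinAce 'Self'                        (Get-RightsGuid 'Validated write to service principal name') 'Descendents' $computerCls
    New-JoinAce 'ReadProperty, WriteProperty' (Get-RightsGuid 'Public Information')                        'Descendents' $computerCls
    New-JoinAce 'ReadProperty, WriteProperty' (Get-SchemaGuid 'description')                               'Descendents' $computerCls
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check the result: list every explicit ACE on the OU that names the join account.
function Get-JoinAccountAces([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$AccountSid) {
    (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $AccountSid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-JoinAccountAces $TargetOU $sid | Format-Table -AutoSize
```

The "Validated write" entries map to the `Self` right with the extended-right GUID as object type, which is how the wizard stores them. Scoping every right except create/delete to descendant computer objects keeps the join account from touching user or group objects placed in the same OU, which is the point of delegating instead of using a Domain Administrator account.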
  12. Log in to the VCSA shell over SSH using the IP address or DNS name of the VCSA.
  13. Activate the bash shell:
Command> shell

  14. Verify that Integrated Windows Authentication (IWA) has been removed from the vCenter Single Sign-On Identity Sources. Remove a vCenter Single Sign-On Identity Source using the Web Client. For more information, see Remove a vCenter Single Sign-On Identity Source.
  15. Perform a domain leave so that any partially joined state left by previous attempts is cleaned up. Use the domainjoin-cli tool to leave the domain:
/opt/likewise/bin/domainjoin-cli leave

  16. Use the domainjoin-cli tool to join the domain:
/opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]

Note: If the password is omitted, the command prompts for it interactively.
Warning: VMware recommends using the UI for domain joining the ESXi host to prevent configuration issues. See Steps to enable the use of Active Directory accounts to open SSH sessions on ESXi 6.5 and 6.7 using the domainjoin-cli command.

  17. Run this command to reboot the appliance:
# reboot

  18. Add AD as a vCenter Single Sign-On Identity Source using the Web Client option Active Directory (Integrated Windows Authentication). For more information, see Add a vCenter Single Sign-On Identity Source.